---
title: Secret Scanning
sidebar:
  order: 10
description: Learn how to detect and prevent sensitive information leaks in your
  codebase using automated secret scanning, customizable patterns, and
  configuration options.
keywords:
  - secret scanning
  - code security
  - pattern detection
  - regex secrets
  - secure code
hero:
  image:
    alt: A simple 8-bit style illustration features a desktop computer displaying a
      code window with lines blacked out to represent redacted information,
      accompanied by a shield icon marked with an asterisk to indicate security
      or secret protection, and a gear icon symbolizing customizable settings.
      The design uses five solid geometric colors, with no people, text,
      background, shadows, gradients, or three-dimensional effects, fitting a
      corporate look at a small 128x128 pixel size.
    file: ./secret-scanning.png

---

One should not have secrets lying around in their codebase, but sometimes it happens.
To help you avoid this, we have a secret scanning feature that will scan your codebase for secrets
and warn you if any are found.

:::note

The secret scanning feature is by no means exhaustive and should not be relied upon as the sole
method of securing your codebase. It is a best-effort feature that will help you avoid common mistakes.

:::

## Supported patterns

By default set of secret patterns is almost empty and
defined at https://github.com/microsoft/genaiscript/tree/main/packages/core/src/config.json.

:::caution

This list is is not a complete list by design, and needs to be updated to match your needs.

:::

You can find examples of patterns at https://github.com/mazen160/secrets-patterns-db/.

## Scanning messages

By default, all messages sent to LLMs are scanned and redacted if they contain secrets.

You can disable secret scanning alltogher by setting the `secretScanning` option to `false` in your script.

```js
script({
    secretScanning: false,
})
```

## Configuring patterns

If you have a specific pattern that you want to scan for, you can configure it in your
[configuration file](/genaiscript/reference/configuration-files).

```json title="genaiscript.config.json"
{
    "secretPatterns": {
        ...,
        "my secret pattern": "my-secret-pattern-regex"
    }
}
```

- do not use `^` or `$` in your regex pattern

### Disabling patterns

Set the pattern key to `null` or `false` to disable it.

```json title="genaiscript.config.json"
{
    "secretPatterns": {
        "OpenAI API Key": null
    }
}
```

## CLI

You can test your patterns against files using the CLI.

```sh
genaiscript parse secrets *
```
